How to access a server in a VPN from a home computer via a separate notebook with the VPN connection
For my local work environment I would like to access all my company's servers directly from my workstation elsewhere.
To make this really fun, the only access possible is via the VPN on the company-managed notebook, and the notebook does not allow connections to the local network.
Obviously, no IT department is helping you with such a problem.
linux vpn remote ssh-tunneling
asked Jan 10 at 0:25 by U.V. (edited yesterday)
why don't you ask the IT department for help?
– jsotola
Jan 10 at 3:40
2 Answers
If you can SSH to the company notebook from your home computer, then you can use SSH Tunnelling or SSH Jump Hosts.
answered Jan 10 at 1:55 by Jonathan Rouleau
There is a lot of ssh tunneling documentation, but it doesn't cover this specific scenario.
So to get from

```
Workstation <-> Notebook <-> Company Network
```

we need an extra system on N which plays the router to connect the separate networks.
We need an additional VM on the Notebook with 2 network ports.
One is connected to the host network via NAT,
the other connected to the LAN via a bridged connection.
So we can get a connection as

```
W <-> VM1 <-> VM2 <-> N1 <-> N2 <-> CN
```

This can be configured via ssh config.
An example with some bogus IPs:

```
W = 192.0.0.3 <LAN> VM1 = 192.0.0.2
VM1 = 192.0.0.2 <route> VM2 = 10.0.0.3
VM2 = 10.0.0.3 <NAT> NATRouter = 10.0.0.1
NR = 10.0.0.1 <nat2host> N1 = 20.0.0.4
N2 = 20.0.0.4 <vpnroute> CN 0.0.0.0/0
```

This is the description of the network hops between the systems.
So to connect to a server in the CN we need to solve 2 separate steps.
We need to set up ssh configurations for the intermediate hops.
.ssh/config entries:

```
# reaching the VM
Host VM
    # the VM's bridged-LAN address from the table above
    HostName 192.0.0.2
    User vmuser
    IdentityFile ~/.ssh/vm_id_rsa
    ForwardX11 yes

# reaching a host inside the CN
Host CNhost
    User companyuser
    IdentityFile ~/.ssh/cnhost_id_rsa
    ForwardX11 yes
    # the TCP connection to CNhost is opened from the VM, which can reach the company network
    ProxyCommand ssh -A VM nc %h %p 2> /dev/null
```

Another important issue is the correct routing within the VM.
The route to the bridged LAN 192.0.0.0/24 needs to have a lower metric than the default route to the NAT 10.0.0.1.

```
vm$ ip route
default via 10.0.0.1 metric 100
10.0.0.0/24 dev nat1 metric 100
192.0.0.0/24 dev bridge1 metric 99
```

Now the interesting case is when we want to also access a server on an internal network which is accessible only from a server already inside the company network.
A classical jumphost configuration.
For that we need another .ssh/config entry:

```
# reaching a host on a CN internal network
Host CNInternalhost
    User cnInternalUser
    IdentityFile ~/.ssh/cninternalhost_id_rsa
    ForwardX11 yes
    # CNhost resolves and connects to CNInternalhost on our behalf
    ProxyCommand ssh -A CNhost nc %h %p 2> /dev/null
```

Now we should be able to simply ssh into the CNInternalhost.
If not, the routing tables need to be checked (e.g. missing routes or wrong metrics).
But we also want to access a service on this internal host directly from our local workstation!
For this we now create the tunnel using the hops preconfigured in the .ssh/config:

```
ssh -L <portOnLocalhost>:CNInternalhost:<portOnCNInternalHost> CNhost
```

Now we can access CNInternalhost:<portOnCNInternalHost> on localhost:<portOnLocalhost>.
If we want to reuse an additional network name (ServerX) in our local setup, we can add a host alias on our local host for our LAN IP and create an additional tunnel for it.

```
echo 192.0.0.3 ServerX >> /etc/hosts
```

This also requires an additional .ssh/config entry:

```
# configuring another host on the CN internal network
Host serverX
    User cnInternalUser
    IdentityFile ~/.ssh/serverX_id_rsa
    ForwardX11 yes
    ProxyCommand ssh -A CNhost nc %h %p 2> /dev/null
```

With this ssh config we can now create a tunnel like this:

```
ssh -L serverX:<portOnLocalhost>:serverX:<portOnLocalhost> CNhost
```

as long as serverX is accessible from CNhost.
And we can do a:

```
$ wget serverX:<portOnLocalhost>
```
answered yesterday by U.V.
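An added example, not part of this answer: the same three-hop chain written with ProxyJump, which OpenSSH (7.3 and later) implements by running ssh -W %h:%p against the previous hop. It needs no nc on the hop and, unlike the answer's ProxyCommand ssh -A form, does not forward your agent to the intermediate hosts, so a shared or compromised hop cannot sign with your keys while you are connected. Users and key paths are the answer's, 192.0.0.2 is the VM's LAN address from the answer's table, and resolve_chain is a small helper written here (not an ssh feature) that prints the hop order from such a config file.

```shell
#!/bin/sh
# Added example, not part of the answer: the answer's three-hop chain expressed with
# ProxyJump. OpenSSH runs "ssh -W %h:%p <hop>" for each jump, so the hop needs no nc
# and the local agent is not forwarded to it. Users and key paths are the answer's;
# 192.0.0.2 is the VM's LAN address from the answer's table; the key files are
# assumed to exist on the workstation.

write_jump_config() {
    cat > "$1" <<'EOF'
# first hop: the VM on the notebook, reached over the bridged LAN
Host VM
    HostName 192.0.0.2
    User vmuser
    IdentityFile ~/.ssh/vm_id_rsa

# second hop: a host inside the company network, connected through the VM
Host CNhost
    User companyuser
    IdentityFile ~/.ssh/cnhost_id_rsa
    ProxyJump VM

# final hop: a host on the internal network, connected through CNhost
Host CNInternalhost
    User cnInternalUser
    IdentityFile ~/.ssh/cninternalhost_id_rsa
    ProxyJump CNhost
EOF
}

# resolve_chain CONFIG HOST: follow ProxyJump entries and print the hop order,
# e.g. "VM CNhost CNInternalhost" (helper written for this example, not an ssh feature).
# Stops at a host without ProxyJump, or after 10 hops to survive a looping config.
resolve_chain() {
    cfg=$1
    host=$2
    chain=$host
    n=0
    while [ "$n" -lt 10 ]; do
        next=$(awk -v h="$host" '
            $1 == "Host" { cur = $2; next }
            $1 == "ProxyJump" && cur == h { print $2; exit }' "$cfg")
        [ -n "$next" ] || break
        chain="$next $chain"
        host=$next
        n=$((n + 1))
    done
    printf '%s\n' "$chain"
}

cfg=$(mktemp)
write_jump_config "$cfg"
resolve_chain "$cfg" CNInternalhost      # prints: VM CNhost CNInternalhost
# With OpenSSH installed, -G shows the options the client resolves, without connecting:
command -v ssh >/dev/null && ssh -G -F "$cfg" CNInternalhost | grep -i '^proxyjump' || true
rm -f "$cfg"
```

With these entries in ~/.ssh/config, ssh CNInternalhost opens the whole chain, and the answer's tunnel command ssh -L <portOnLocalhost>:CNInternalhost:<portOnCNInternalHost> CNhost works unchanged; ssh -J VM,CNhost CNInternalhost is the same chain given on the command line. ForwardX11 was left out because it is unrelated to the hop mechanics.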
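An added example, not from the answer: a small POSIX shell check for the VM's routing table, the first thing to look at when the ssh chain does not come up. It is fed the routing table this answer shows as correct plus a constructed broken variant, and confirms that the LAN prefix is routed over the bridge interface, that the default route points at the NAT gateway, and, as the answer asks, that the LAN route's metric is lower than the default route's. The kernel selects the longest matching prefix before it compares metrics, so traffic to 192.0.0.0/24 takes the bridge route even with the metrics reversed; the metric test only enforces the answer's stated rule. Interface names and the gateway are the answer's; the sample tables are constructed here, and on the VM you would pass "$(ip route)" instead.

```shell
#!/bin/sh
# Added example, not from the answer: sanity-check the VM's routing table.
# Sample tables are constructed here; on the VM, call check_vm_routes "$(ip route)" ...

# route_field TABLE PREFIX KEY: print the value following KEY on the route whose
# first word is PREFIX ("default" for the default route); prints nothing if absent.
route_field() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == k) { print $(i + 1); exit } }'
}

# check_vm_routes TABLE LAN_PREFIX BRIDGE_DEV NAT_GW
# Returns 0 when all three conditions hold, 1 otherwise, naming each failure on stderr.
check_vm_routes() {
    table=$1 lan=$2 bridge=$3 gw=$4
    ok=0
    if [ "$(route_field "$table" "$lan" dev)" != "$bridge" ]; then
        echo "no route for $lan via $bridge" >&2; ok=1
    fi
    if [ "$(route_field "$table" default via)" != "$gw" ]; then
        echo "default route does not point at $gw" >&2; ok=1
    fi
    lan_m=$(route_field "$table" "$lan" metric)
    def_m=$(route_field "$table" default metric)
    if [ -n "$lan_m" ] && [ -n "$def_m" ] && [ "$lan_m" -ge "$def_m" ]; then
        echo "LAN metric $lan_m is not lower than default metric $def_m" >&2; ok=1
    fi
    return $ok
}

# Constructed sample: the table the answer shows as correct (with the device the
# real "ip route" output carries), and a variant whose default route wins on metric.
GOOD_TABLE='default via 10.0.0.1 dev nat1 metric 100
10.0.0.0/24 dev nat1 metric 100
192.0.0.0/24 dev bridge1 metric 99'

BAD_TABLE='default via 10.0.0.1 dev nat1 metric 50
10.0.0.0/24 dev nat1 metric 100
192.0.0.0/24 dev bridge1 metric 99'

check_vm_routes "$GOOD_TABLE" 192.0.0.0/24 bridge1 10.0.0.1 && echo "sample table: routing OK"
check_vm_routes "$BAD_TABLE" 192.0.0.0/24 bridge1 10.0.0.1 || echo "broken table: routing needs fixing"
```

The device and gateway names are the ones from the answer's ip route listing; if the VM's bridge or NAT interface is named differently, pass those names instead.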